From 2b4ea24b59a068321be15ed64b62770cf5540acb Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 12 May 2022 13:00:08 +0200 Subject: [PATCH] Updated Readme and remove old script --- README.md | 126 ++++++++++++++++------------------- lib/add_bc_user.sh | 21 +----- lib/init-test-environment.sh | 45 ------------- 3 files changed, 58 insertions(+), 134 deletions(-) delete mode 100755 lib/init-test-environment.sh diff --git a/README.md b/README.md index 4a54d29..6224956 100644 --- a/README.md +++ b/README.md @@ -79,64 +79,46 @@ For running your bridgehead we recommend the follwing Hardware: Before starting the installation process, please ensure that following software is available on your system: -//Remove -#### [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - -To check that you have a working git installation, please run -``` shell -cd ~/; -git clone https://github.com/octocat/Hello-World.git; -cat ~/Hello-World/README; -rm -rf Hello-World; -``` -If you see the output "Hello World!" your installation should be working. - - //Just install docker-compose und docker with version #### [Docker](https://docs.docker.com/get-docker/) -To check your docker installation, you can try to execute dockers "Hello World" Image. The command is: -``` shell -docker run --rm --name hello-world hello-world; -``` -Docker will now download the "hello-world" docker image and try to execute it. After the download you should see a message starting with "Hello from Docker!". - -> NOTE: If the download of the image fails (e.g with "connection timed out" message), ensure that you have correctly set the proxy for the docker daemon. Refer to ["Docker Daemon Proxy Configuration" in the "Pitfalls" section](#docker-daemon-proxy-configuration) - -You should also check, that the version of docker installed by you is newer than "1.20". To check this, just run +To check your docker installation, you should execute the docker with --version: ``` shell docker --version ``` -#### [Docker Compose](https://docs.docker.com/compose/cli-command/#installing-compose-v2) - -To check your docker-compose installation, please run the following command. It uses the "hello-world" image from the previous section: -``` shell -docker-compose -f - up < NOTE: If the download of the image fails (e.g with "connection timed out" message), ensure that you have correctly set the proxy for the docker daemon. Refer to ["Docker Daemon Proxy Configuration" in the "Pitfalls" section](#docker-daemon-proxy-configuration) + #### [systemd](https://systemd.io/) -You shouldn't need to install it yourself. If systemd is not available on your system you should get another system. +You shouldn't need to install it yourself, If systemd is not available on your system you should get another system. To check if systemd is available on your system, please execute ``` shell systemctl --version ``` +If systemd is not installed, you can start the bridgehead but for productive use we recomend using systemd. + --- ## Getting Started @@ -150,9 +132,7 @@ sudo mkdir -p /srv/docker/; sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead; ``` -When using the systemd services we you need to create a bridgehead user for security reasons. This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide a action for the systemcall ```useradd```. - -// +It is recomended to create a user for the bridgehead service. This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one. ``` shell adduser --no-create-home --disabled-login --ingroup docker --gecos "" bridgehead @@ -163,15 +143,19 @@ useradd -M -g docker -N -s /sbin/nologin bridgehead chown bridgehead /srv/docker/bridgehead/ -R ``` +### Configuration -Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can visit the configuration template at [GitHub](https://github.com/samply/bridgehead-config). You can download the repositories contents and add them to the "bridgehead-config" directory. +> NOTE: If you are part of the CCP-IT we will provide you another link for the configuration. + +Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can visit the configuration template at [GitHub](https://github.com/samply/bridgehead-config). You can download the repositories contents and add them to the "bridgehead" directory. ``` shell sudo git clone https://github.com/samply/bridgehead-config.git /etc/bridgehead; ``` -> NOTE: If you are part of the CCP-IT we will provide you another link for the configuration. -You should now be able to run a bridgehead instance. To check if everything works, execute the following: +### Testing your bridgehead + +Now you ready to run a bridgehead instance. To check if everything works, execute the following: ``` shell /srv/docker/bridgehead/bridgehead start ``` @@ -183,34 +167,40 @@ To shutdown the bridgehead just run. /srv/docker/bridgehead/bridgehead stop ``` -We recommend to run first with the start and stop script and if aviable run the systemd service, which also enables automatic updates and more. +We recomend to run first with the start and stop script and if aviable run the systemd service, which also enables automatic updates and more. If you have trouble starting the bridghead have a look at the troubleshooting section. -### Systemd service +### Systemd service configuration For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script: ``` shell sudo /srv/docker/bridgehead/bridgehead install ``` -Finally, you need to configure your sites secrets. These are places as configuration for each bridgeheads system unit. Refer to the section for your specific project: +Finally, you need to configure your sites secrets. These are places as configuration for each bridgehead system unit. Refer to the section for your specific project: -For Every project you need to set the proxy this way, if you have a proxy. +For Every project you need to set the proxy this way, if you have one. This is done with the ```systemctl edit``` comand. + +``` shell +sudo systemctl edit bridgehead@.service; +sudo systemctl edit bridgehead-update@.service; +``` ``` conf [Service] -Environment=http_proxy= -Environment=https_proxy= +Environment=http_proxy= +Environment=https_proxy= ``` -### CCP(DKTK/C4) +There a further configurations for each project. + +#### CCP(DKTK/C4) + +For the federate search please follow the basic auth configuration step. + +### DKTK/C4 You can create the site specific configuration with: -``` shell -sudo systemctl edit bridgehead@ccp.service; -sudo systemctl edit bridgehead-update@ccp.service; - -``` This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this. @@ -227,8 +217,6 @@ sudo systemctl daemon-reload; sudo systemctl bridgehead@ccp.service; ``` -### DKTK/C4 - You can create the site specific configuration with: ``` shell @@ -292,28 +280,22 @@ sudo systemctl daemon-reload; sudo systemctl bridgehead@gbn.service; ``` -### Developers - -Because some developers machines doesn't support system units (e.g Windows Subsystem for Linux), we provide a dev environment [configuration script](./lib/init-test-environment.sh). -It is not recommended to use this script in production! - ## Configuration ### Basic Auth -For Data protection we use basic authenfication for some services. To access those services you need a username and password combination. If you start the bridgehead with them, those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions. +For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. If you start the bridgehead without basic auth, then those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions. ``` shell -add_user.sh +add_user.sh ``` -If you are not using the systemd service, you need to export it yourself with +The result needs to be set in either in the systemd service or in your console. -``` shell -docker run --rm -it httpd:latest htpasswd -nb -``` -The result needs to be set in your current console with: +#### Console + +When just running the bridgehead you need to export the auth variable. Be aware that this export is only for the current session in the environment and after exit it will not be accessible anymore. ``` shell export bc_auth_user= @@ -321,11 +303,15 @@ export bc_auth_user= Cation: you need to escape occrring dollar signs. +#### systemd + + + ### HTTPS Access We advise to use https for all service of your bridgehead. HTTPS is enabled on default. For starting the bridghead you need a ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs. -The bridgehead create one autotmatic on the first start. However it will be unsigned and we recomend to get a signed one. +The bridgehead create one autotmatic on the first start. However, it will be unsigned and we recomend to get a signed one. ### Locally Managed Secrets diff --git a/lib/add_bc_user.sh b/lib/add_bc_user.sh index 744fe11..1f758aa 100755 --- a/lib/add_bc_user.sh +++ b/lib/add_bc_user.sh @@ -3,27 +3,10 @@ source lib/functions.sh log "This script add's a user with password to the bridghead" -if [ $# -eq 0 ]; then - log "No arguments provided, please provide the project name" - exit 1 -fi - -if [ ! -f /etc/systemd/system/bridgehead@$1.service.d/override.conf ]; then - log "Please create a Service first, with setup-bridgehead-units.sh" - exit -fi - read -p 'Username: ' bc_user read -sp 'Password: ' bc_password echo - -bc=`docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password` - -if grep -q -E "Environment=bc_auth_users=" /etc/systemd/system/bridgehead@$1.service.d/override.conf ; then - x=`grep -E "Environment=bc_auth_users=" /etc/systemd/system/bridgehead@$1.service.d/override.conf` - sed -i "/Environment=bc_auth_users=/c\\$x,$bc" /etc/systemd/system/bridgehead@$1.service.d/override.conf -else - echo "Environment=bc_auth_users=${bc}" >> /etc/systemd/system/bridgehead@$1.service.d/override.conf -fi \ No newline at end of file +log "Please export the line in the your environment. Please replace the dollar signs with with \\\$" +docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password diff --git a/lib/init-test-environment.sh b/lib/init-test-environment.sh deleted file mode 100755 index 78113d3..0000000 --- a/lib/init-test-environment.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash -### This configuration file is intended for fast setup of a developers testenvironment. -### The settings made here are normally placed in the system units configuration. -### Refer to the readme on how to do this. -### On long term we want to move those to a zero knowledge passwort manager like bitwarden. - -### Configuration for Network Properties -# needed by the connector to resolve hosts address for ui-links and service status checks -export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'); -# needed for the reverse proxy configuration of the services -export HOST=$(hostname) -# additional information about the local proxy if necessary -export HTTP_PROXY_USER="" -export HTTP_PROXY_PASSWORD="" -export HTTPS_PROXY_USER="" -export HTTPS_PROXY_PASSWORD="" - -### Configuration for Connector Secrets -# the password of database connector-db -export CONNECTOR_POSTGRES_PASS=pleaseChangeThis1 - - -### Configuration for Samply Store Secrets -# the password of database connector-db -export STORE_POSTGRES_PASS=pleaseChangeThis6 - -### Configuration for ID-Management Secrets -# the password of database patientlist-db -export ML_DB_PASS=pleaseChangeThis2 - -# the apikey of the localdatamanagement for the patientlist -export MAGICPL_API_KEY=pleaseChangeThis3 -# the apikey of the id-manager for the patientlist -export MAGICPL_MAINZELLISTE_API_KEY=pleaseChangeThis4 -# the apikey of the connector for the patientlist -export MAGICPL_API_KEY_CONNECTOR=pleaseChangeThis5 - -# the apikey of the id-manager for the central patientlist -export MAGICPL_MAINZELLISTE_CENTRAL_API_KEY=dktk[CentralS3cr3tKey]KNE; -# the apikey of the id-manager for the controlnumbergenerator -export MAGICPL_CENTRAL_API_KEY=dguQJ5IoqUrxCF8fNl6fOl2YvsZAVB1Y; -# client-id used for autheticating users in central ccp-authentication service -export MAGICPL_OIDC_CLIENT_ID=bridgehead-developers; -# client-secret used for autheticating users in central ccp-authentication service -export MAGICPL_OIDC_CLIENT_SECRET=1de49kn2j36qom15n7vkrve0g7pgh1f5p7v945pkl2hesak74bgek657tgi6or1hu5ji3m9lfrbhfa0g3haq18ebe205al4uoig9ii5;